Vulnerability Note VU#41870
Sun Solstice AdminSuite ships with insecure default configuration
The sadmind service provided on many Solaris and SunOS systems ships with an insecure default configuration that allows remote users to execute arbitrary commands with superuser (root) privileges.
The Sun Microsystems Solstice AdminSuite is a graphical tool that allows Solaris and SunOS hosts to be administered by a remote host. The daemon portion of the program (sadmind) is a setuid root application that listens for requests from a remote administration client. In its default configuration, sadmind accepts requests using "AUTH_SYS" authentication, which uses plaintext authentication in a format that can be easily manipulated by an attacker. Since sadmind is designed to allow the remote execution of arbitrary commands, an attacker who is able to spoof the authentication portion of a packet can execute commands with little difficulty.
The daemon can be configured to operate securely by specifying a security level of 2, which causes sadmind to require "AUTH_DES" authentication. This capability has existed since at least April 1999, when the sadmind man page was updated for SunOS 5.9. The recommendation to use security level 2 was provided in Sun Security Bulletin #00191 and CERT Advisory CA-1999-16, so it is likely that many Solaris systems have been configured to disable this service. However, the insecure default configuration is still shipped with modern releases of Solaris, so system administrators are encouraged to review their configurations.
Affected systems allow remote users to execute arbitrary commands with the privileges of the sadmind daemon, typically superuser (root).
The CERT/CC is not aware of a permanent solution that addresses this vulnerability.
Configure sadmind to use AUTH_DES authentication
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Sun Microsystems Inc.||Affected||03 Apr 1999||19 Sep 2003|
CVSS Metrics (Learn More)
The CERT/CC thanks Sun Microsystems for acknowledging this vulnerability.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2003-0722
- Date Public: 03 Apr 99
- Date First Published: 19 Sep 2003
- Date Last Updated: 19 Sep 2003
- Severity Metric: 104.74
- Document Revision: 21
If you have feedback, comments, or additional information about this vulnerability, please send us email.